From gregory.lebras@security-corporation.com Fri Jul 11 21:51:02 2003
From: Gregory LEBRAS
To: vulnwatch@vulnwatch.org
Date: Thu, 10 Jul 2003 22:34:15 +0200
Subject: [VulnWatch] [SCSA-019] Gattaca Server 2003 Vulnerable to Multiple vulnerabilities
=====================================================================
Security Corporation Security Advisory [SCSA-019]
Gattaca Server 2003 Vulnerable to Multiple vulnerabilities
=====================================================================
PROGRAM: Gattaca Server 2003
HOMEPAGE: www.gattaca-server.com
VULNERABLE VERSIONS: 1.0.8.1 and prior ?
RISK: Low/Medium
IMPACT: Show file and directory content
Denial of Service
Directory Traversal
Cross Site Scripting
RELEASE DATE: 2003-07-10
Security Corporation's Free weekly Newsletter :
http://www.security-corporation.com/newsletter.html
=====================================================================
TABLE OF CONTENTS
=====================================================================
1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK
1. DESCRIPTION
=====================================================================
Gattaca Server is "A high performance Windows NT based Mail and Web
Server software for building own intranet. You may register unlimited
users, use unlimited domains. Supporting POP3, SMTP, and HTTP
protocols.
Integrated with TMPL library, allow you write own CGI scripts"
(direct quote from http://www.gattaca-server.com/)
2. DETAILS
=====================================================================
- Shows file and directory content :
When a GET request is sent with 2 slashes ("//"), the server shows all
files in the directory. An attacker can see all hidden (non-HTML-linked)
files and directories on the server.
- Denial of Service :
A security vulnerability in Gattaca Server 2003 allows remote and
local attackers to cause the server to crash by executing a specific
command (LLIST) with a buffer of 1048 bytes in length or more.
The command can be issued to the server using the Gattaca Console
(C:\WINNT\system32\gattaca.exe).
- Directory Traversal :
A security vulnerability in Gattaca Server 2003 allows remote
attackers to gain access to system files.
- Cross Site Scripting :
An exploitable bug was found in Gattaca Server 2003 which causes
script execution on the client's computer when a crafted URL is followed.
This kind of attack, known as a "Cross-Site Scripting Vulnerability",
is present in the view2.tmpl file: an attacker can inject specially crafted
links and/or other malicious scripts.
3. EXPLOITS
=====================================================================
- Show file and directory content :
http://[target]//
You will get this :
http://www.security-corporation.com/download/SCSA-019.png
- Denial of Service :
In Gattaca Console :
$> LLIST AAAA...[1024]...AAAA
ggesvr32.exe crashes at once.
- Directory Traversal :
http://[target]/view.tmpl?testfile=../../winnt/win.ini
- Cross Site Scripting :
http://[target]/view2.tmpl?text=[hostile_code]
The hostile code could be :
[script]alert("Cookie="+document.cookie)[/script]
(open a window with the cookie of the visitor.)
(replace [] by <>)
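A defender-side check for the three HTTP-borne issues listed above, added here as an example and not part of the original advisory: it scans access-log lines and tags requests that carry the double-slash listing trigger, a ".." segment in view.tmpl's testfile parameter, or markup in view2.tmpl's text parameter. The advisory does not describe Gattaca's log format, so the Common Log Format and the sample lines below are assumptions (constructed, not real Gattaca logs).

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed Common Log Format lines (not real Gattaca logs): the first three
# mirror the advisory's HTTP-borne issues, the last two are benign for contrast.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2003:22:34:15 +0200] "GET // HTTP/1.0" 200 1532',
    '10.0.0.5 - - [10/Jul/2003:22:34:20 +0200] "GET /view.tmpl?testfile=../../winnt/win.ini HTTP/1.0" 200 418',
    '10.0.0.5 - - [10/Jul/2003:22:34:25 +0200] "GET /view2.tmpl?text=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 300',
    '10.0.0.9 - - [10/Jul/2003:22:35:01 +0200] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.9 - - [10/Jul/2003:22:35:02 +0200] "GET /view.tmpl?testfile=readme.txt HTTP/1.0" 200 900',
]

CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# ".." as a whole path segment, with either slash style, anywhere in the value
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# a script tag (with optional whitespace) or any other opening/closing tag
MARKUP_RE = re.compile(r'<\s*/?\s*script|<[a-z!/]', re.I)

def classify_target(target):
    """Return the set of advisory issues a request target matches."""
    # split by hand: urlsplit() would read a leading "//" as a network location
    path, _, query = target.partition("?")
    path = unquote(path)
    params = parse_qs(query, keep_blank_values=True)  # values are URL-decoded here
    hits = set()
    if "//" in path:                                    # the directory-listing trigger
        hits.add("directory-listing")
    if path.lower().endswith("/view.tmpl"):
        for value in params.get("testfile", []):
            if TRAVERSAL_RE.search(unquote(value)):     # unquote again: double encoding
                hits.add("directory-traversal")
    if path.lower().endswith("/view2.tmpl"):
        for value in params.get("text", []):
            if MARKUP_RE.search(unquote(value)):
                hits.add("xss")
    return hits

def scan_log(lines):
    """(client ip, request target, sorted issue tags) for every line that matches."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue                                    # unparseable line, skip it
        hits = classify_target(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), sorted(hits)))
    return findings
```

Running scan_log(SAMPLE_LOG) yields three findings, all from 10.0.0.5; the two benign requests are not reported.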
4. SOLUTIONS
=====================================================================
No solution for the moment. The vendor will fix the bugs in the next release.
5. WORKAROUND
=====================================================================
- Show file and directory content :
Vendor response :
To fix this issue (http://[target]//), you also need to perform an
additional task. There are 2 ways:
1) Open %systemroot%\gattaca.ini in Notepad and remove the extension for
the configuration file
====================================
[GATTACA]
PATH=C:\GeeOSPub
ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
SITE=C:\GeeOSPub\wwwroot\.config
====================================
The last 2 strings may be removed; restarting is not needed.
The new configuration settings will be picked up by Gattaca
Server within 15 seconds.
====================================
[GATTACA]
PATH=C:\GeeOSPub
#ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
#SITE=C:\GeeOSPub\wwwroot\.config
====================================
but you may get a problem with the site sample, and the best way is:
2) You may update the C:\GeeOSPub\wwwroot\.config file too; it also has
the structure
=====================
[HTTPFOLDER]
/=1
=====================
Change it to
=====================
[HTTPFOLDER]
/=0
=====================
Also, if you need to view the directory index of any folder, append your
variables in the form:
/folder=status
where status 1 allows viewing and status 0 disables viewing.
for example:
[HTTPFOLDER]
/=0
/pub=1
/pub/private=0
Also, it is impossible to view files whose names start with a dot (like
.config etc.); if any clients want to hide some files from the directory
index they should start the file names with a dot. It's by design.
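An added audit helper for the .config layout described in the vendor response above (example code, not vendor code): it parses the [HTTPFOLDER] section and reports folders whose directory index is enabled, so the weak "/=1" setting can be spotted across many installs. The INI-style format and the use of a leading "#" to disable a line are assumed from the vendor's examples; the sample contents are constructed.

```python
# Constructed sample of the C:\GeeOSPub\wwwroot\.config contents shown in the
# vendor response: the weak setting (root listing enabled) ...
WEAK_CONFIG = """\
[HTTPFOLDER]
/=1
"""
# ... and the corrected layout with per-folder statuses.
FIXED_CONFIG = """\
[HTTPFOLDER]
/=0
/pub=1
/pub/private=0
"""

def parse_ini(text):
    """Minimal INI reader; a leading '#' disables a line, the convention the
    vendor response uses in gattaca.ini (assumed to hold for .config as well)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def listing_enabled_folders(text):
    """Folders whose directory index is allowed (status 1) in [HTTPFOLDER]."""
    folders = parse_ini(text).get("HTTPFOLDER", {})
    return sorted(f for f, status in folders.items() if status == "1")

def audit_httpfolder(text):
    """Findings to act on: root listing enabled is the weak setting the advisory
    reports; any other enabled folder is listed for review."""
    folders = parse_ini(text).get("HTTPFOLDER")
    if folders is None:
        return ["no [HTTPFOLDER] section; cannot confirm the directory index is disabled"]
    findings = []
    if folders.get("/") == "1":
        findings.append("/=1: directory index enabled for the web root (change to /=0)")
    for folder in listing_enabled_folders(text):
        if folder != "/":
            findings.append(f"{folder}=1: directory index enabled; confirm this is intended")
    return findings
```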
- Denial of Service :
Vendor response :
For the LLIST command, this is a real problem too. But it's possible to
limit access to the computer where Gattaca Server is installed.
- Directory Traversal :
Remove view.tmpl
- Cross Site Scripting :
Use the PHP function eregi_replace() to filter the input data, or
remove view2.tmpl
Vendor response :
For the exploit (http://[target]/view2.tmpl?text=[hostile_code]) it is not
a bug, because the response to this GET/POST request is received only by
the attacker, and it is impossible to control the server response to
another client(s). It's by design. This script (view2.tmpl) was made for
this purpose (allowing the end user to insert their own code/text into
the output HTML), and if this works it is fine. This means that Gattaca
Server is properly configured and works well. In our opinion this is not
a bug or exploit; it is possible to send data to this script using
GET/POST (POST is better because the client can send more data)
6. DISCLOSURE TIMELINE
=====================================================================
08/07/2003 Vulnerability discovered
08/07/2003 Vendor notified
09/07/2003 Vendor response
09/07/2003 Security Corporation clients notified
09/07/2003 Started e-mail discussions
10/07/2003 Last e-mail received
10/07/2003 Public disclosure
7. CREDITS
=====================================================================
Discovered by Gregory Le Bras
8. DISCLAIMER
=====================================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.
9. REFERENCES
=====================================================================
- Original Version:
http://www.security-corporation.com/advisories-019.html
- French Version:
http://www.security-corporation.com/index.php?id=advisories&a=019-FR
10. FEEDBACK
=====================================================================
Please send suggestions, updates, and comments to:
Security Corporation
http://www.security-corporation.com
info@security-corporation.com